Reasonably Accurate Transcript
Good morning, everybody. Coming at you a little early with the, as my good friend calls it, dentist wall behind me, simply because, ironically, I have to go to the dentist during my normal time slot. So I've come a little early because I think it's important to get this topic out there today.
Because I'm sure you've seen my stream at marknca: GDPR coming up tomorrow. Lots of people asking lots of questions. I have a lot of great discussion around this, as always. Join me online or in the comments below.
I want to talk about this subject because there are a lot of unknowns about GDPR. There are a lot of questions, there are a lot of concerns. What I want to tackle today is actually how GDPR is going to help companies.
It's going to help security teams specifically. Now, you might think, OK, data protection regulation, the reason why it's going to help security teams is because it insists on stringent security controls everywhere. It does not. It says that you need best practice, that you need best effort, that you need to be basically doing due diligence around security. So yes, that's part of it. There is a little bit of that aspect. That's not really what I want to get at. What I want to get at is the requirements around GDPR for, what's the best way to phrase it, the requirements around data management, realistically.
So you need to be able to tell somebody, if they request it and say, "Hey, what do you know about me, Mark?", you need to be able to tell them what you know. You need to be able to allow them to correct that and remove that data as well.
That's a far higher bar than most companies are used to when it comes to data management. Now, the reason why this is a very good thing, outside of obviously the privacy and control of your own data as a user, is that this is a very good thing for security. Because from a security perspective, the number one thing that I see companies fail at time and time again is the lack of awareness of what data they're holding, the value of that data, and the risk that they're willing to accept around that data.
Well, GDPR, at least for personally identifiable information, requires you to fix that. It requires you to know what you're holding as far as personally identifiable information. It requires you to know how you got that data. It requires you to manage this entire life cycle, because one thing we're really, really bad at is sort of the managing of data and the metadata around it. Where this comes to light for most teams is this concept of a data lake.
Now, data lake evolved out of data warehouse, because data warehouse implies sort of orderly, organized shelves and structure. A lot of people found that way too hard. So we kind of just started pulling it all together, and, you know, data pit or data black hole didn't sound as cool as data lake.
So data lake is what we've got. But still, most companies just dump data into this store and then do analysis on it afterwards. GDPR prevents that. When it comes to personally identifiable information, you need to be able to track, not necessarily each drop of water, but pretty much each drop of water.
You need to be able to say that you got my email address on this day and I consented to its use in the following manner. And then you need to be able to track that through the life cycle of that piece of data.
So it's very much requiring people to organize, classify, and manage data, as opposed to just shoving it into one place and not worrying about it for a long time until there's a breach. So from a security perspective, this is huge upside. We have a lot of great potential advantage out of GDPR, just from the awareness and the required effort for companies to put into GDPR to finally manage this data, because you can't protect something if you don't know what it is.
You can't apply appropriate controls if you're not sure what level of risk you're willing to tolerate. You don't know what you need to mitigate if you don't even know that you have a potential vulnerability around this data.
So GDPR is many things, one of which is a wake-up call around data management practices. This is a huge win for you, the consumer, for us, the community, and also for information security in general, because we'll finally be managing our data properly.
We'll be putting the due care into it, and hopefully we'll all be better off. Of course, before we get to that lovely state, it's going to be a mess. It's gonna be a nightmare. We're gonna see what's going on.
It's gonna be a very interesting time, but I think generally this is upside. I'm a huge fan. I think it's gonna be a challenge, but it's a needed challenge that companies need to face. GDPR is a big enough stick to make them face it.
What do you think? How do you guys handle data? Do you actually handle data, or do you just shove it in the closet and not worry about it? You know, sort of like that kid cleaning up his room by putting everything under the bed, and as long as mom and dad don't look there, it's clean. That's the kind of concept. Are you managing data?
Let me know, marknca in the comments below. As always, security only gets better if we talk about it, if we get it out in the open, if we discuss it. Let's start that discussion.
I hope you guys are set up for a fantastic Thursday. I will talk to you online and in the forums and such, and I will see you tomorrow. Take care, talk to you soon.